1 Background Information on Viruses 


This chapter provides background information on viruses in general. It describes 
the common virus types and the advanced methods used by some viruses. 


1.1 Common Virus Types 


The following section presents some of the most common virus types and their 
working mechanisms. There are four major types of viruses: 


• file viruses; 

• boot sector viruses; 

• companion viruses; 

• cluster or link viruses. 


1.1.1 File Viruses 


File viruses infect executable programs, usually .com and .exe files, but 
sometimes also overlay files. An overlay file may have any extension, but the most 
common ones are .ovl and .ovr. All these files contain executable code. 


Some viruses infect files of many types. For example, the Amoeba virus infects 
both .com and .exe files. 


A file virus works by finding a suitable executable program and adding its own 
code to it, typically at the end of the host file. To make sure that it is executed 
together with the host program, the virus overwrites the beginning of the 
program with a jump instruction. The jump transfers control to the virus code at 
the end of the host code. 
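The layout described above (a jump at the program's entry point that lands in code appended at the end of the file) is exactly what early scanners looked for as a heuristic. The following is an added example, not code from the manual or from F-PROT: it classifies a raw file image by content rather than by extension (so overlay files are handled too), decodes the entry point of a .com image (leading near JMP) or of an MZ .exe (header paragraphs plus CS:IP), and flags an image whose entry point lands in the last quarter of the file. The sample images are constructed inline and contain only filler bytes; the threshold of 75% is an assumption chosen for the demonstration.

```python
import struct

# Constructed sample images (filler only, no real virus code). CLEAN_COM begins with
# ordinary code; SUSPECT_COM has the shape an appending infector leaves behind: a near
# JMP at offset 0 into a block glued onto the end of the original host.
CLEAN_COM = bytes([0xB4, 0x09, 0xBA, 0x0E, 0x01, 0xCD, 0x21, 0xC3]) + b"hello$" + b"\x90" * 200

def _appended_layout(host: bytes, tail_len: int = 64) -> bytes:
    tail_start = len(host)
    rel = tail_start - 3                     # rel16 is relative to the byte after the 3-byte JMP
    jmp = b"\xE9" + struct.pack("<h", rel)
    return jmp + host[3:] + b"\xCC" * tail_len   # first 3 host bytes overwritten, tail appended

SUSPECT_COM = _appended_layout(CLEAN_COM)

def _mz_image(body: bytes, entry_ip: int) -> bytes:
    # Minimal MZ header: 14 words, header size 2 paragraphs (32 bytes), entry CS=0, IP=entry_ip.
    hdr = struct.pack("<14H", 0x5A4D, 0, 0, 0, 2, 0, 0xFFFF, 0, 0, 0, entry_ip, 0, 0x1C, 0)
    return hdr.ljust(32, b"\0") + body

CLEAN_EXE = _mz_image(b"\x90" * 1000, entry_ip=0)
SUSPECT_EXE = _mz_image(b"\x90" * 1000 + b"\xCC" * 64, entry_ip=1000)   # entry in the tail

def sniff(data: bytes) -> str:
    """Classify by content: MZ magic means .exe format whatever the extension says;
    anything else that fits below the 64K segment top is treated as a .com image."""
    if len(data) >= 2 and data[:2] in (b"MZ", b"ZM"):
        return "exe"
    if 0 < len(data) <= 0xFF00:
        return "com"
    return "other"

def com_entry_target(data: bytes):
    """File offset a leading near JMP (E9 rel16) transfers to, or None if the image
    does not start with one. A .com image is loaded linearly, so file offsets suffice."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = struct.unpack("<h", data[1:3])[0]
    return 3 + rel

def exe_entry_offset(data: bytes):
    """File offset of the MZ entry point: header paragraphs + CS*16 + IP."""
    if len(data) < 0x1C:
        return None
    e_cparhdr = struct.unpack_from("<H", data, 0x08)[0]
    e_ip = struct.unpack_from("<H", data, 0x14)[0]
    e_cs = struct.unpack_from("<h", data, 0x16)[0]       # signed, relative to load segment
    return e_cparhdr * 16 + e_cs * 16 + e_ip

def entry_near_end(data: bytes, fraction: float = 0.75) -> bool:
    """Heuristic (assumed threshold): does the first control transfer land in the last
    `fraction` of the file? True for both constructed SUSPECT images, False for the CLEAN ones."""
    kind = sniff(data)
    target = exe_entry_offset(data) if kind == "exe" else com_entry_target(data)
    if target is None or not 0 <= target < len(data):
        return False
    return target >= len(data) * fraction
```

This is a heuristic, not a verdict: many legitimate .com programs begin with a jump over a data block, which is why scanners of the period paired such checks with search strings and with the checksum and memory checks discussed later in this chapter.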


After being activated, a virus has free rein in the computer. Normally, the main 
purpose of a virus is to spread the infection. This can be done in different ways. 




Resident Viruses. When an infected program is run, the virus may stay resident in 
memory and infect every program executed afterwards. Viruses that use this 
method to spread the infection are called resident viruses. 


Direct Action Viruses. Other viruses search for new files to infect when 
activated. After infecting a specified number of new files, the virus transfers 
control to the original program. Viruses that use this method to spread the 
infection are called direct action viruses. After control has been returned to the 
original program, its execution continues as if nothing had happened. 


“Time bomb”. After infecting a computer, a virus can move into its active phase, 
with the intention of attaining the specific goal set by the virus author. The 
transition to the active phase can happen on a specific date, or when a certain 
condition has been met. In its active phase, the virus can destroy data or perform 
other harmful actions, such as formatting the hard disk. Sometimes these viruses 
are relatively harmless, perhaps slowing the computer down every Friday or 
making a ball bounce around the screen. Still, even if a virus was not intended to 
cause damage, it can do so because of bugs left in it by an incompetent author. In 
addition, a virus can be modified, so that a more harmful version of it appears. 


The obvious damage done by a virus is the deletion of data or programs, perhaps 
the reformatting or overwriting of the hard disk. However, more subtle forms of 
damage are also possible. Some viruses modify data or introduce typing errors 
into text. Other viruses have no intentional effect other than replicating. 


The actions of a virus slow down the start of the infected program. The delay is 
often so slight that it is almost impossible to notice. There are, however, a few 
viruses that infect a large number of files at once after being executed. This may 
slow down the start of the infected program by tens of seconds. 


When a virus adds its code to a program, the size of the program changes. Some 
viruses avoid this by storing their code in an unused area of the host file. In this 
case, the size of the infected program does not change. 


Most viruses try to recognize existing infections and avoid re-infecting already 
infected programs. Usually, a virus marks infected files with some easily 
distinguishable marker, such as setting the time stamp of the file to an invalid 
value. This makes it possible to “inoculate” programs against a specific virus by 
making the files appear infected. Unfortunately, it is not feasible to inoculate a 
program against multiple viruses, since each virus uses its own marker. 
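The invalid-timestamp marker mentioned above works because of how DOS packs a file time into 16 bits: the seconds field holds seconds divided by two in five bits, so only even values up to 58 are representable, and a file stamped with 60 or 62 seconds cannot have come from a clock. The following is an added example, not code from the manual or from F-PROT: it packs and unpacks DOS time and date words, checks them for validity, tests for a marker value, and rewrites the seconds field to inoculate a file against a virus that uses that marker. The marker value 62 is the example's assumption (the manual names no specific value), and the directory entry offsets are those of the standard 32-byte FAT directory entry.

```python
# DOS file time word: hours (5 bits) | minutes (6 bits) | seconds/2 (5 bits).
# DOS file date word: year-1980 (7 bits) | month (4 bits) | day (5 bits).

def pack_dos_time(hour: int, minute: int, second: int) -> int:
    return (hour << 11) | (minute << 5) | (second // 2)

def unpack_dos_time(t: int):
    return (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2

def pack_dos_date(year: int, month: int, day: int) -> int:
    return ((year - 1980) << 9) | (month << 5) | day

def unpack_dos_date(d: int):
    return 1980 + ((d >> 9) & 0x7F), (d >> 5) & 0x0F, d & 0x1F

def timestamp_is_valid(t: int, d: int) -> bool:
    """A real clock can never produce seconds above 58 (field values 30 and 31),
    hours above 23, minutes above 59, month 0 or 13+, or day 0."""
    hour, minute, second = unpack_dos_time(t)
    _year, month, day = unpack_dos_date(d)
    return hour <= 23 and minute <= 59 and second <= 58 and 1 <= month <= 12 and 1 <= day <= 31

def has_marker(t: int, marker_seconds: int = 62) -> bool:
    """Does the seconds field carry the impossible value used as an infection mark?
    (62 is this example's assumed marker value.)"""
    return unpack_dos_time(t)[2] == marker_seconds

def inoculate(t: int, marker_seconds: int = 62) -> int:
    """Rewrite only the seconds field to the marker, keeping hours and minutes, so the
    file looks already infected to that one virus. DIR shows no seconds, so the
    listing looks unchanged."""
    return (t & ~0x1F) | (marker_seconds // 2)

def directory_entry_stamp(entry: bytes):
    """Time and date words live at offsets 22 and 24 of a 32-byte FAT directory entry."""
    t = int.from_bytes(entry[22:24], "little")
    d = int.from_bytes(entry[24:26], "little")
    return t, d

def scan_directory_image(raw: bytes, marker_seconds: int = 62) -> list:
    """Offsets of entries (32-byte slots) whose time word carries the marker or is otherwise
    impossible; such entries deserve a closer look."""
    hits = []
    for off in range(0, len(raw) - 31, 32):
        t, d = directory_entry_stamp(raw[off:off + 32])
        if has_marker(t, marker_seconds) or not timestamp_is_valid(t, d):
            hits.append(off)
    return hits
```

Note that the inoculation only fools the one virus that uses that exact marker; a different virus checking a different field or value ignores it, which is the reason the text gives for not inoculating against many viruses at once.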


1.1.2 Boot Sector Viruses 


A boot sector virus infects the boot sector of a hard disk or diskette. Normally, the 
boot sector contains code for loading the operating system files. A boot sector virus 
replaces the original boot sector with a copy of itself and either stores the original 
boot sector somewhere else or simply overwrites it. When a computer is later 
started from such a diskette, the virus takes control and hides in RAM. It then 
loads and executes the original boot sector, and everything appears to be normal. 
However, every diskette subsequently inserted in the computer will be infected 
with the virus. 


Every formatted diskette has a boot sector. System diskettes, data diskettes, 
diskettes containing programs and diskettes containing no files at all: all have 
code in their boot sectors. This code is run when the computer is started from the 
diskette. If the diskette does not contain the operating system, the program code 
in the boot sector prints a message such as: 


Non-system disk or disk error 


If the diskette is infected with a virus, the virus code has already run by the time 
this message appears, and it has probably already infected the hard disk. 


The best way to protect your computer against boot sector viruses is to prevent it 
from starting from diskettes. This can usually be done in the BIOS SETUP of the 
computer, although the option may not be available on older models. 


If the computer has no hard disk and has to be started from a diskette, always use 
the same diskette, and keep it write-protected. 


Most boot sector viruses infect the master boot record (MBR) of the hard disk. This 
causes some problems, since the MBR cannot be cleaned with the DOS format 
command. The best way to disinfect the MBR is to use F-PROT Professional. Another 
option is to low-level format the disk, re-partition it with fdisk, format it with 
format, and restore the contents from a backup. It is also possible to use the 
undocumented /mbr switch of fdisk, which rewrites the MBR boot code, but it will 
not necessarily remove the virus. 


Because the boot sector of a diskette is limited to 512 bytes, large boot sector 
viruses have to hide part of their code outside the boot sector itself. Many viruses 
mark clusters as bad in the FAT and store their code in those clusters. It is also 
possible to hide code in the area reserved for the root directory. Another option is 
to format an extra track and use it for storing the virus code. Only reasonably 
sophisticated viruses use the last option. 
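The hiding places listed above can be checked from a sector image without booting from the disk. The following is an added example, not code from the manual or from F-PROT: it decodes the BIOS parameter block of a 512-byte boot sector, verifies the 55AA signature, checks that the entry jump stays inside the sector and that the BPB describes a known diskette geometry, and then walks a FAT12 table counting clusters marked bad (0xFF7), the first hiding place the text mentions. The boot sector and FAT are constructed inline for a 1.44 MB diskette; the list of plausible media descriptor bytes is taken from the standard DOS values.

```python
import struct

# BPB of a DOS 3.31+ boot sector, offsets 0x00-0x1F: jump(3) OEM(8) bytes/sector(2)
# sectors/cluster(1) reserved(2) FATs(1) root entries(2) total sectors(2) media(1)
# sectors/FAT(2) sectors/track(2) heads(2) hidden sectors(4)
BPB = struct.Struct("<3s8sHBHBHHBHHHI")
DISKETTE_SECTORS = {720: "360K", 2400: "1.2M", 1440: "720K", 2880: "1.44M", 5760: "2.88M"}
MEDIA_BYTES = (0xF0, 0xF8, 0xF9, 0xFC, 0xFD, 0xFE, 0xFF)
FAT12_BAD = 0xFF7

def build_boot_sector(jump: bytes = b"\xEB\x3C\x90") -> bytes:
    """Constructed 1.44M FAT12 boot sector (not from a real disk)."""
    bs = bytearray(512)
    BPB.pack_into(bs, 0, jump, b"MSDOS5.0", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)

def jump_target(bs: bytes):
    """Sector offset the first instruction transfers to, for the two JMP forms DOS uses."""
    if bs[0] == 0xEB:                                    # JMP short rel8
        return 2 + struct.unpack_from("<b", bs, 1)[0]
    if bs[0] == 0xE9:                                    # JMP near rel16
        return 3 + struct.unpack_from("<h", bs, 1)[0]
    return None

def check_boot_sector(bs: bytes) -> list:
    findings = []
    if len(bs) != 512:
        return ["sector is not 512 bytes"]
    if bs[510:512] != b"\x55\xAA":
        findings.append("missing 55AA boot signature")
    _jump, _oem, bps, spc, res, nfats, _roots, total, media, _spf, _spt, _heads, _hidden = BPB.unpack_from(bs, 0)
    target = jump_target(bs)
    if target is None:
        findings.append("sector does not start with a jump")
    elif not 0 <= target < 512:
        findings.append(f"entry jump leaves the sector (target {target})")
    if bps != 512 or spc == 0 or res == 0 or nfats not in (1, 2):
        findings.append("BPB values are implausible")
    if total not in DISKETTE_SECTORS:
        findings.append(f"unknown diskette size: {total} sectors")
    if media not in MEDIA_BYTES:
        findings.append(f"unknown media descriptor {media:#x}")
    return findings

def data_cluster_count(bs: bytes) -> int:
    _j, _o, bps, spc, res, nfats, roots, total, _m, spf, _s, _h, _hid = BPB.unpack_from(bs, 0)
    root_sectors = (roots * 32 + bps - 1) // bps
    return (total - res - nfats * spf - root_sectors) // spc

def fat12_entry(fat: bytes, n: int) -> int:
    """FAT12 packs entry n into 12 bits at byte offset n*1.5: even entries use the low
    12 bits of the word there, odd entries the high 12 bits."""
    val = struct.unpack_from("<H", fat, n + n // 2)[0]
    return val >> 4 if n & 1 else val & 0x0FFF

def fat12_set(fat: bytearray, n: int, value: int) -> None:
    off = n + n // 2
    cur = struct.unpack_from("<H", fat, off)[0]
    if n & 1:
        cur = (cur & 0x000F) | (value << 4)
    else:
        cur = (cur & 0xF000) | (value & 0x0FFF)
    struct.pack_into("<H", fat, off, cur)

def build_fat(bs: bytes, bad=()) -> bytes:
    """Constructed empty FAT12 for `bs`, with the given clusters marked bad (0xFF7)."""
    _j, _o, bps, _c, _r, _n, _ro, _t, media, spf, _s, _h, _hid = BPB.unpack_from(bs, 0)
    fat = bytearray(bps * spf)
    fat[0], fat[1], fat[2] = media, 0xFF, 0xFF          # reserved entries 0 and 1
    for n in bad:
        fat12_set(fat, n, FAT12_BAD)
    return bytes(fat)

def bad_clusters(fat: bytes, clusters: int) -> list:
    """Data clusters are numbered from 2. Bad clusters on a diskette are rare enough
    that any, and especially a run at the end of the disk, deserve a look."""
    return [n for n in range(2, clusters + 2) if fat12_entry(fat, n) == FAT12_BAD]
```

A genuinely defective diskette can also carry bad clusters, so the count is a prompt to read those sectors and see whether they hold code, not a verdict on its own.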


As there are five different diskette formats available, namely 360K, 1.2 MB, 720K, 
1.44 MB, and 2.88 MB, very few viruses are able to infect all diskette types. 


A boot sector virus usually hides at the top of conventional memory and lowers 
the amount of memory that DOS sees. For example, a computer with 640K might 
appear to have only 639K. It should be noted that some BIOS modules also take 
one or two kilobytes away from DOS memory, so a figure below 640K is a hint 
worth investigating rather than proof of infection. 


F-PROT searches for boot sector viruses by checking the MBR, the boot sectors, the 
partition table, and other available hiding spaces. 


Important: Never start a computer that has a hard disk from a diskette. Apart from 
the multipartition viruses described later, this is practically the only way the hard 
disk can become infected with a boot sector virus. 


1.1.3 Companion Viruses 


Companion viruses use a feature of DOS to force their execution. When several 
files with the same base name but different extensions are in the same directory, 
and the command line entry does not include the extension, DOS runs the .com file 
first, before an .exe or .bat file of the same name. Companion viruses use this 
feature by selecting an .exe file and creating a .com file with the same name in the 
same directory. The .com file contains the virus code. It may be marked hidden, so 
that it does not show up in the directory listing. 


It is also possible to design a companion virus that takes advantage of the order of 
directories specified in the PATH environment variable, or a virus that would use 
some other way to get its code to be executed before the host program. 


After being activated, such a virus executes the actual program and seizes control 
again after the execution of the program has ended. 
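The mechanism described in the three paragraphs above, as an added example that is not code from the manual or from F-PROT: a small model of how COMMAND.COM resolves a typed command (current directory first, then each PATH directory, and within a directory .COM before .EXE before .BAT unless an extension was typed), together with a check that lists every file DOS would pick instead of a program with the same base name, both the in-directory .COM beside an .EXE and the earlier-on-PATH shadow. The directory listing, file names and PATH are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    directory: str
    name: str            # 8.3 name, upper case
    hidden: bool = False

    def __str__(self):
        return f"{self.directory}\\{self.name}"

SEARCH_ORDER = (".COM", ".EXE", ".BAT")      # what COMMAND.COM tries, in this order, per directory

# Constructed listing (not from any real system). EDIT.COM is a hidden companion planted
# beside the real EDIT.EXE; C:\TEMP\FORMAT.EXE sits earlier on PATH than C:\DOS\FORMAT.COM.
LISTING = [
    Entry(r"C:\APPS", "EDIT.EXE"),
    Entry(r"C:\APPS", "EDIT.COM", hidden=True),
    Entry(r"C:\APPS", "README.TXT"),
    Entry(r"C:\DOS", "FORMAT.COM"),
    Entry(r"C:\TEMP", "FORMAT.EXE"),
]
PATH = [r"C:\TEMP", r"C:\DOS", r"C:\APPS"]

def _index(listing):
    by_dir = {}
    for e in listing:
        by_dir.setdefault(e.directory.upper(), {})[e.name.upper()] = e
    return by_dir

def resolve(command: str, cwd: str, path_dirs, listing):
    """Which file DOS runs for `command`. Hidden files are found like any other, which
    is what the companion relies on."""
    by_dir = _index(listing)
    cmd = command.upper()
    candidates = [cmd] if "." in cmd else [cmd + ext for ext in SEARCH_ORDER]
    for d in [cwd] + list(path_dirs):
        files = by_dir.get(d.upper(), {})
        for name in candidates:
            if name in files:
                return files[name]
    return None

def find_companions(listing, path_dirs):
    """(companion, shadowed) pairs: a file DOS would pick before a program with the same
    base name, either in the same directory (.COM beside .EXE) or earlier on PATH."""
    by_dir = _index(listing)
    hits = []
    for files in by_dir.values():                       # same-directory companions
        for name, e in files.items():
            if name.endswith(".EXE") and name[:-4] + ".COM" in files:
                hits.append((files[name[:-4] + ".COM"], e))
    winners = {}                                        # base name -> first program on PATH
    for d in path_dirs:
        files = by_dir.get(d.upper(), {})
        for ext in SEARCH_ORDER:
            for name in sorted(files):
                if not name.endswith(ext):
                    continue
                base = name[:-4]
                if base not in winners:
                    winners[base] = files[name]
                elif winners[base].directory.upper() != d.upper():
                    hits.append((winners[base], files[name]))
    return hits
```

Typing the full name with its extension sidesteps the in-directory companion but not the PATH variant, so a scanner has to check both kinds of pairing rather than rely on the user's habits.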


F-PROT Professional recognizes all known companion viruses. 


1.1.4 Cluster Viruses 


The first cluster virus, DIR-II, found at the end of 1991, is one of the fastest 
spreading viruses in existence. 


A cluster virus does not make any changes to the code of the program it infects. 
Instead, the virus changes the file system's bookkeeping for the program file: it 
redirects the first-cluster pointer of the infected program's directory entry to its 
own code, located elsewhere on the disk. When the infected program is executed, 
DOS loads the virus code instead of the first cluster of the infected file. 


DIR-II stores its own code in the last two clusters of a disk and reserves those 
clusters in the FAT. After the disk is completely infected, the directory entry of 
every executable file points to the second-to-last cluster on the disk. DIR-II saves 
the original address of the file's first cluster in two unused bytes of the file's 
directory entry and uses this information to execute the original file. 


DIR-II is a stealth virus and is capable of hiding its actions. It infects files every time 
DOS reads a directory. Use of the dir command, for instance, infects every file in the 
current directory if DIR-II is active in memory. F-PROT Professional eliminates 
DIR-II by decrypting the original cluster addresses and repairing the directory 
entries and the FAT with this information. 
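The directory-level symptoms described above can be checked offline on an image of the directory. The following is an added example, not code from the manual or from F-PROT: it parses standard 32-byte FAT directory entries, reports first clusters claimed by more than one file (a healthy directory never has that; a DIR-II infected one has every executable pointing at the same cluster) and entries whose DOS-era reserved bytes are non-zero, and shows a repair that puts the saved first cluster back. The directory image and cluster numbers are constructed; storing the saved cluster in the clear is an assumption made for the demonstration, since the text says the real virus encrypts it and the manual does not give the encoding.

```python
import struct
from collections import defaultdict

# 32-byte FAT directory entry: name(8) ext(3) attr(1) reserved(10) time(2) date(2)
# first cluster(2) size(4)
DIR_ENTRY = struct.Struct("<8s3sB10sHHHI")
ATTR_VOLUME, ATTR_DIR = 0x08, 0x10
EXEC_EXTS = (b"COM", b"EXE")

def make_entry(name, ext, first_cluster, size, reserved=b"\0" * 10, attr=0x20):
    return DIR_ENTRY.pack(name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                          attr, reserved, 0, 0, first_cluster, size)

def parse_directory(raw: bytes) -> list:
    entries = []
    for off in range(0, len(raw) - 31, 32):
        name, ext, attr, reserved, _t, _d, cluster, size = DIR_ENTRY.unpack_from(raw, off)
        if name[0] == 0x00:                            # end-of-directory marker
            break
        if name[0] == 0xE5 or attr & ATTR_VOLUME:      # deleted entry or volume label
            continue
        full = (name.decode("ascii").rstrip() + "." + ext.decode("ascii").rstrip()).rstrip(".")
        entries.append({"name": full, "attr": attr, "reserved": reserved,
                        "cluster": cluster, "size": size})
    return entries

def cross_linked_files(entries) -> dict:
    """First clusters claimed by more than one non-empty file, with the claimants."""
    by_cluster = defaultdict(list)
    for e in entries:
        if e["size"] and not e["attr"] & ATTR_DIR:
            by_cluster[e["cluster"]].append(e["name"])
    return {c: names for c, names in by_cluster.items() if len(names) > 1}

def entries_with_reserved_data(entries) -> list:
    """Under DOS of the period the 10 reserved bytes are zero; DIR-II parks data there."""
    return [e["name"] for e in entries if any(e["reserved"])]

# Constructed directory image (not from a real disk), followed by an end marker.
CLEAN_DIR = b"".join([
    make_entry("PROG1", "COM", 2, 1500),
    make_entry("PROG2", "EXE", 40, 30000),
    make_entry("PROG3", "EXE", 77, 12000),
    make_entry("NOTES", "TXT", 90, 300),
]) + b"\0" * 32

def redirect_like_dir2(raw: bytes, virus_cluster: int) -> bytes:
    """Produce the state the text describes: every executable's first cluster points at the
    virus cluster and the original is saved in the reserved bytes (in the clear here, an assumption)."""
    out = bytearray(raw)
    for off in range(0, len(raw) - 31, 32):
        name, ext, attr, _res, t, d, cluster, size = DIR_ENTRY.unpack_from(raw, off)
        if name[0] in (0x00, 0xE5) or ext not in EXEC_EXTS:
            continue
        saved = struct.pack("<H", cluster) + b"\0" * 8
        DIR_ENTRY.pack_into(out, off, name, ext, attr, saved, t, d, virus_cluster, size)
    return bytes(out)

def undo_redirect(raw: bytes) -> bytes:
    """Repair: restore the saved first cluster and clear the reserved bytes."""
    out = bytearray(raw)
    for off in range(0, len(raw) - 31, 32):
        name, ext, attr, reserved, t, d, _cluster, size = DIR_ENTRY.unpack_from(raw, off)
        if name[0] in (0x00, 0xE5) or ext not in EXEC_EXTS or not any(reserved):
            continue
        original = struct.unpack("<H", reserved[:2])[0]
        DIR_ENTRY.pack_into(out, off, name, ext, attr, b"\0" * 10, t, d, original, size)
    return bytes(out)
```

Because DIR-II falsifies directory reads while it is resident, a check like this is only meaningful on a directory read after a clean boot, the same caveat the stealth section below makes for disk reads in general.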


1.2 Advanced Methods Used by Viruses 


The following section presents some of the methods viruses use to hide their 
presence or to otherwise complicate the process of fighting against them. 


The following viruses using advanced methods are described: 


• stealth viruses; 

• self-encrypting, polymorphic, and mutation viruses; 

• retroviruses; 

• application specific viruses; 

• multipartition viruses. 


1.2.1 Stealth Viruses 


Several years ago, it seemed that the final weapon against virus infections had 
been found. This omnipotent technique was called checksumming. A checksummer 
calculates an individual checksum for each file. By re-calculating the checksum 
later and comparing it with the original one stored in a database, it is possible to 
detect every change made to a file. However, it did not take long for the first file- 
infecting stealth viruses to appear and crush the hopes of a final victory in the 
battle against viruses. 


A stealth virus falsifies the information read from a disk, so that a program reading 
the disk receives incorrect data. The virus does this by intercepting the interrupt 
vectors used to read data from the disk and supplying the reading program with 
false information. This way, the program reading the disk receives data which 
incorrectly indicates that everything is all right. This technique can be used 
successfully by both file viruses and boot sector viruses. 


A good example is the virus called Brain, the first known stealth virus. Brain is a 
boot sector virus which transfers the original contents of the boot sector to a 
suitable location on the disk. It is too big to fit completely in the boot sector and 
needs to store part of its own code in the data area of the disk. 


If a computer is started from an infected diskette, the virus is executed first. After 
taking control, Brain executes the original boot sector. Everything looks normal to 
the user, but Brain observes all disk reads and writes. Whenever a program 
attempts to read the contents of the boot sector, Brain responds by delivering the 
original boot sector code from its hiding place on the disk. Since the program 
actually sees the original code, everything appears to be in order, even though the 
diskette is infected. Brain also redirects all write attempts to the boot sector, 
protecting its own code. 




Similar stealth methods are also used in viruses that infect files. 


A stealth virus can intercept all disk reads to present false information. For this 
reason, F-PROT has to check memory before scanning the disk. If a stealth virus is 
already active, it can easily falsify all disk reads. Even a stealth virus cannot hide 
its code in memory completely, so an active virus can always be found by checking 
all available memory before starting the disk scan. 
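The memory check described above, and the "639K instead of 640K" symptom from the boot sector section, as an added example that is not code from the manual or from F-PROT. It works on two things a DOS-era tool can read directly: the 1 KB interrupt vector table at 0000:0000 (each vector stored as offset then segment) and the base-memory word the BIOS keeps at 0040:0013. It reports base memory below 640 KB, watched vectors that point into the memory above the reported top (where a resident boot sector virus lives after lowering that figure), and an INT 13h vector that does not point into ROM. The table image, the default vector values and the set of watched interrupts are constructed assumptions for the example, not a dump from a real machine.

```python
import struct

BASE_KB_EXPECTED = 640                 # conventional memory on a full PC
ROM_START = 0xC000 * 16                # adapter ROMs and the system BIOS live from C000:0 up
WATCHED = {0x08: "timer", 0x13: "disk", 0x21: "DOS", 0x24: "critical error", 0x40: "diskette"}

def build_ivt(hooks=None) -> bytes:
    """Constructed interrupt vector table. Default vectors are plausible values for a clean
    DOS machine (assumed, not captured); `hooks` overrides selected vectors."""
    vectors = {0x08: (0xF000, 0xFEA5), 0x13: (0xF000, 0xEC59), 0x21: (0x0116, 0x109E),
               0x24: (0x0116, 0x0400), 0x40: (0xF000, 0xEC59)}
    vectors.update(hooks or {})
    ivt = bytearray(1024)
    for n, (seg, off) in vectors.items():
        struct.pack_into("<HH", ivt, n * 4, off, seg)    # stored offset first, then segment
    return bytes(ivt)

def vector(ivt: bytes, n: int):
    off, seg = struct.unpack_from("<HH", ivt, n * 4)
    return seg, off

def memory_findings(ivt: bytes, base_kb: int) -> list:
    """What to explain before trusting a disk scan: missing base memory, watched vectors
    pointing above the reported top of memory, and a disk vector outside ROM."""
    findings = []
    if base_kb < BASE_KB_EXPECTED:
        findings.append(f"BIOS reports {base_kb} KB base memory, "
                        f"{BASE_KB_EXPECTED - base_kb} KB missing")
    top = base_kb * 1024
    for n, what in WATCHED.items():
        seg, off = vector(ivt, n)
        addr = seg * 16 + off
        if top <= addr < 0xA0000:
            findings.append(f"INT {n:02X}h ({what}) -> {seg:04X}:{off:04X}, "
                            f"above the reported top of memory")
        if n == 0x13 and addr < ROM_START:
            findings.append(f"INT 13h (disk) -> {seg:04X}:{off:04X}, not in ROM")
    return findings

def scan_allowed(ivt: bytes, base_kb: int) -> bool:
    """The fail-closed rule the text implies: do not start the disk scan while memory
    looks hooked, because every disk read would go through the virus."""
    return not memory_findings(ivt, base_kb)
```

Two caveats a practitioner would add: a BIOS that reserves an extended BIOS data area legitimately reports 639 KB, and disk caches or device drivers also hook INT 13h, so each finding needs to be explained rather than treated as proof. The decisive step is still the one the text gives: boot from a clean, write-protected diskette so that no virus is in memory at all.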


1.2.2 Self-Encrypting, Polymorphic, and Mutation Viruses 


Most virus scanners operate by searching for virus search strings. Viruses that 
change their code between infections make it impossible to recognize the virus by 
using the search strings. 


Mutating viruses change their code, and sometimes even their functionality, from 
one generation of the same virus to the next. 


The most common mutation technique is encryption. Many mutating viruses 
encrypt their code with a simple encryption algorithm, using as the key, for 
instance, the time of day. This makes every generation of a single virus differ 
from the others, except for the decryption routine at the beginning of the virus 
code. 


To make it impossible, or at least inconvenient, to use the decryption routine as a 
search string, virus writers often try to keep that constant part of the virus as 
small as possible. This exploits the rule that very short search strings should not 
be used, because the probability of finding the same byte sequence in normal 
programs increases as the string gets shorter. 


Most viruses encrypt themselves only at the time of infection, but there are some 
that do it while they are resident in memory. Whale is one of these very complex 
and sophisticated viruses. 


Bulgarian virus writer Dark Avenger has created a virus mutation engine, called 
MtE, or Dark Avenger’s Mutation Engine. The MtE can easily be incorporated into 
any virus. The result is a virus which is functionally similar to the original virus, but 
is attached to the host program in one of the endless variety of different versions. 
The MtE is distributed through underground bulletin boards as an object file that 
can be linked to any old or new virus. 


It is extremely hard to isolate from an MtE-encrypted virus a search string that 
would still be found in the next generation of the same virus. The encryption 
scheme used by MtE is so advanced that only a single byte is common to all 
MtE-encrypted files, and even the location of this byte varies. The common 
instruction is JNZ (Jump if Not Zero), which can be found in practically every 
program available. 




The MtE uses many different encryption algorithms and randomly adds extra bytes 
to the decryption routines. 


MtE is not the only known mutation generator. There are more than ten different 
mutation engines in circulation, and there are several polymorphic viruses that 
have been created without the help of an external generator. 


There are other methods to generate mutating viruses, besides encrypting their 
code. One is to build the virus from very small modules that can be swapped inside 
the code without any functional harm. 


The methods used to find mutating viruses are called algorithmic methods. A 
large part of the latest viruses must be identified by algorithmic methods, because 
the structure of these viruses rules out search strings. F-PROT Professional and 
F-CHECK use such methods. 
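The difference between search strings and algorithmic methods, as an added example that is not code from the manual, F-PROT or F-CHECK. It models the simplest self-encrypting virus the text describes (a body XORed with a one-byte key chosen per infection, preceded by a decryptor that differs in every generation) and runs two scanners over it: a plain search-string scan, which fails once the body is encrypted, and an algorithmic scan of the kind known as X-raying, which at each offset derives the key that would map the first signature byte onto the data and then verifies the rest of the signature under that key, recovering both key and position. The "virus body" is pseudo-random filler from a fixed seed and the "decryptor" is random filler standing in for a varying stub; nothing here is real virus code, and the signature offset of 40 bytes into the body is the example's own choice.

```python
import random

# Constructed stand-in for a virus body (filler from a fixed seed, not real code) and the
# 16-byte search string an anti-virus program would have extracted from it.
_rng = random.Random(0xF5F5)
BODY = bytes(_rng.randrange(256) for _ in range(192))
SIGNATURE_OFFSET = 40
SIGNATURE = BODY[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 16]
HOST = b"\x90" * 300                       # the "host program", filler

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def generation(seed: int) -> bytes:
    """One generation of a self-encrypting infector: host, then a decryptor stub that differs
    in length and content each time (random filler here), then the body under a per-infection
    one-byte XOR key (the text's time-of-day key)."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    stub = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 24)))
    return HOST + stub + xor_bytes(BODY, key)

def signature_scan(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Plain search-string scanning: only finds the body when it is stored unencrypted."""
    return sig in data

def xray_scan(data: bytes, sig: bytes = SIGNATURE):
    """Algorithmic scan for a one-byte XOR: derive the candidate key at each offset from the
    first signature byte, verify the remaining bytes under it. Returns (key, offset) or None."""
    n = len(sig)
    for off in range(len(data) - n + 1):
        key = data[off] ^ sig[0]
        if all(data[off + i] ^ key == sig[i] for i in range(1, n)):
            return key, off
    return None

def recover_body(data: bytes):
    """Decrypt the body in place once the key and signature position are known."""
    hit = xray_scan(data)
    if hit is None:
        return None
    key, off = hit
    start = off - SIGNATURE_OFFSET
    return xor_bytes(data[start:start + len(BODY)], key)
```

The same idea extends to any cipher whose key space is small enough to enumerate, which is why the text's "time of day" key buys the virus little against a scanner that knows the body; engines like MtE answer by varying the decryptor itself and by stronger key schedules, which pushes scanners towards emulating the decryptor rather than guessing its key.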


1.2.3 Retroviruses 


The actions of some viruses are intentionally directed against known anti-virus 
programs. A virus may search for files from an anti-virus package and delete them. 
An active virus can identify the execution of an anti-virus product and simply crash 
the computer. As a result, the user may think that the virus scanner itself causes 
the crashes. 


Other viruses do not aim for the destruction of an anti-virus product. A more 
devious way to incapacitate an anti-virus program is to make certain changes to 
the program itself. The virus scanner would still appear to be working normally, but 
it would not find any viruses. 


The Peach virus is a good example of a retrovirus. It is a standard file virus, but it 
has some features that are directed against anti-virus software. When Peach 
infects .exe files, it checks a certain byte in the file's header. If the byte has a 
certain value, the file is not infected. Peach is apparently trying to verify whether 
the file is a certain known program. Virus experts have yet to find out which 
program Peach is trying to avoid. 


After being executed twenty-seven times, Peach attacks the Central Point Anti- 
Virus (CPAV) software if it is installed on the same computer. CPAV saves its search 
strings in a single file on disk and does not check that this file exists. Peach deletes 
the file; CPAV then appears to work normally but in fact recognizes no viruses, 
because its search strings are gone. 


Due to the existence of retroviruses, F-PROT Professional utilizes many techniques 
against the tampering of F-PROT files. 
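One of the techniques the text alludes to, as an added example that is not code from the manual or from F-PROT: a scanner that verifies its own data file before use. It is the fix for the CPAV weakness described above. The signature file is loaded only after checking that it exists and that its digest matches a value the scanner carries; a missing or altered file aborts the scan with an error instead of silently turning the scanner into one that finds nothing. The file name, its contents and the use of SHA-256 are the example's assumptions.

```python
import hashlib
import os
import tempfile

class TamperedInstall(RuntimeError):
    """Raised when the scanner's own data has been removed or altered."""

def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def load_signatures(path: str, expected_digest: str) -> list:
    """Fail closed: a missing or altered signature file must stop the scan, not degrade it."""
    if not os.path.exists(path):
        raise TamperedInstall(f"signature file missing: {path}")
    if file_digest(path) != expected_digest:
        raise TamperedInstall(f"signature file altered: {path}")
    with open(path, "rb") as f:
        return [line.strip() for line in f if line.strip()]

def scan_status(path: str, expected_digest: str):
    """('ok', number of signatures) or ('abort', reason)."""
    try:
        sigs = load_signatures(path, expected_digest)
    except TamperedInstall as err:
        return "abort", str(err)
    return "ok", len(sigs)

def demo() -> list:
    """Walk through the three states: intact, altered, deleted (the Peach/CPAV case).
    The signature file and its contents are constructed for the example."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "SIGN.DEF")
        with open(path, "wb") as f:
            f.write(b"DEADBEEF0102\nCAFEBABE0304\n")
        known_good = file_digest(path)            # what the scanner would carry built in
        outcomes = [scan_status(path, known_good)]
        with open(path, "ab") as f:               # altered in place
            f.write(b"\n")
        outcomes.append(scan_status(path, known_good))
        os.remove(path)                           # deleted, as Peach does to CPAV
        outcomes.append(scan_status(path, known_good))
    return outcomes
```

The expected digest has to live inside the scanner itself, not beside the data file, and a virus that can patch the scanner binary can of course patch the constant too; that is why the text speaks of "many techniques" rather than one, and why scanning from a clean, write-protected diskette remains the baseline.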


1.2.4 Application Specific Viruses 


Some viruses look for a certain application on the computers they have infected. 
Examples of this virus type are: 


Macho/Syslock    Looks for the string “Microsoft” and replaces it with “Machosoft”. 

Flip             Searches for an unknown application, probably some anti-virus 
                 software, with a search string. 

DBase            Corrupts dBase files. 

AntiCAD          Overwrites all hard disks and diskettes upon detecting execution 
                 of AutoCAD. Also scrambles the CMOS memory. 

Haifa            Looks for assembler (ASM) files and adds a small piece of code to 
                 the beginning of these files. This code destroys the boot sectors 
                 of disks. 


1.2.5 Multipartition Viruses 


Multipartition viruses use multiple infection techniques. They can infect different 
types of executable files, boot sectors, master boot records (MBRs), FATs, and 
directories. 


Multipartition viruses have a better chance of surviving a cleaning operation than 
viruses of other types. Even if the virus is removed from all program files, it will 
infect them again if it is not also removed from the boot sector. 


Some multipartition viruses can infect files with extensions other than .com or .exe. 
To find such infections, all files should be checked, not just the normal executable 
ones. Tequila is one example of a multipartition virus. It infects both .exe files and 
the master boot record. The virus features encryption mechanisms and advanced 
hiding abilities. 


1.3 How Great Is the Virus Threat? 


Viruses are a serious threat to information security. If security is lax, a well- 
designed virus can spread almost unnoticeably from one computer to another. 
Given enough time, a virus can infect virtually all computers in an organization 
and, even worse, its backups. A virus can even corrupt data bit by bit. If the 
designer of such a virus was sufficiently skillful and devious, the changes can be so 
minute that it is almost impossible to notice them for a long time. Even if small 
discrepancies in the data are found, they are often thought to be the result of 
operator errors or other human factors. This can be the worst sort of damage, as 
even the backups cannot be trusted once the virus is found. 


After spreading itself during the latency period, a virus can activate and wreak 
havoc in the computers. The extent of such damage can range from the annoying 
to the truly devastating. A serious virus attack can be a catastrophic experience for 
a company. Many companies can be left totally crippled, if the files on their 
computers are wiped out. 


Viruses are set apart from most other information security risks by the fact that 
even regular back-ups are not always a sufficient precaution. Making frequent 
back-ups diminishes the danger of a total disaster in case of a virus attack, but 
since even the back-up copies can be infected or corrupted, other measures are 
needed. 


Even though the likelihood of a disastrous virus infection is small, the danger is 
real and needs to be acknowledged. The costs of developing appropriate 
information security guidelines and purchasing effective anti-virus software are 
very small compared to the possible cost of an uncontrolled virus infection. 


